Address Manager LDAP Groups allow users from Lightweight Directory Access Protocol (LDAP) systems, such as Microsoft Active Directory or OpenLDAP, to log in to Address Manager. Use LDAP Groups when you already have users defined in another system and you do not want to re-create and maintain those users in Address Manager.
When users from an LDAP group log in to Address Manager, they are automatically added to the Users list, and the LDAP User column indicates that the users are LDAP users. Unlike standard Address Manager users, you do not need to create the user in Address Manager before the user can log in. Any users you add to the LDAP group on your LDAP server can log in to Address Manager.
You can assign access rights to the LDAP group, and you can assign access rights to individual LDAP users. If you have several LDAP groups with differing access rights, and a user belongs to multiple groups, or if you apply access rights to a user in addition to those that the user inherits from the LDAP group, the user receives the most permissive access rights.
To create LDAP groups, set up one or more LDAP authenticators. For information on adding authenticators, refer to Adding external authenticators.
To add an LDAP Group:
- Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
- Under User Management, click Users and Groups.
- Click the Groups tab.
- Under Groups, click New, and then select LDAP Group.
Under LDAP Group, define the following parameters:
In the Name Filter text field, type a string to search for and match LDAP objects. The string is not case sensitive, and you can use the * (asterisk) wildcard. If you do not use a wildcard, Address Manager tries to find an exact match for your string.Note: Examples:
- LDAP Server—select and LDAP authenticator from the drop-down list.
- Search Base—displays the search base distinguished name defined for the LDAP authenticator.
- Object Class—select the type of LDAP object to search for users. Selecting an option here changes the default setting in the Name Filter field. These options are defined when you add authenticators to Address Manager.
- Name Filter—select a name filter option from the
drop-down list. A default value appears here depending on the object you
selected in the Object Class field:
- group sets the Name Filter as cn (common name).
- organizationalUnit sets the Name Filter as ou (organizational unit).
- container sets the Name Filter as cn (common name).
- The string Addr* finds the LDAP common name Address Manager Users.
- The string addr* also finds the LDAP common name Address Manager Users. The Name Filter is not case sensitive.
- The string *Users* finds the LDAP common names Address Manager Users, DHCP Users, and Domain Users. The * wildcard can be used multiple times in the Name Filter.
- The string Address Manager does not find the LDAP common name Address Manager Users. When there is no wildcard, LDAP common names must be an exact match for the Name Filter.
Click Refresh. The LDAP Group
field presents a list of LDAP groups matching your Object
Class and Name Filter settings.
- LDAP Group—select an LDAP group from the drop-down list. If the group you're looking for doesn't appear in the list, modify your Object Class and Name Filter settings and click Refresh to update the list.
- Under Change Control, add comments, if required.
- Click Add.